ALPHV/BlackCat gang vanishes amid ransomware ‘turmoil’

In what is turning into a tumultuous period for the cyber criminal underground, the ALPHV/BlackCat ransomware crew has turned off its server infrastructure in an apparently self-imposed takedown, amid allegations that the group’s ringleaders had stolen millions of dollars from an affiliate that recently attacked an American healthcare services provider.

The takedown at first appeared to be the result of a coordinated takedown by law enforcement agencies, but according to Reuters, the National Crime Agency (NCA) – which led on Operation Cronos, the recent takedown of the LockBit operation – said that no law enforcement action has occurred.

The waters were muddied still further by the emergence of a Sunday 3 March statement posted in broken English to one of the major underground forums by a supposed affiliate of ALPHV/BlackCat.

The poster claimed they had been working with ALPHV/BlackCat for a long time, and on 1 March received a $22m ransom payment from Minneapolis, Minnesota-based United Health Group, the parent of the ransomware-stricken Change Healthcare.

However, they said, after receiving the payment, the ALPHV/BlackCat team “decide to suspend our account and keep lying and delaying when we contacted ALPHV admin on Tox”.

They added: “He kept saying they are waiting ro [sic] chief admin and the coder until today they emptied the wallet and took all the money…. Be careful everyone and stop deal with ALPHV.”

“It’s important to emphasise that this is all speculation,” said Yossi Rachman, Semperis director of security research. “I do agree that it looks a little odd, because ALPHV might lose business over it. Then again, it’s not a bricks-and-mortar business, so if they did decide to steal the money and run, they can just as easily set up a new business under a different name.

“Overall, no one outside of in the inner circles of ALPHV, their affiliate and Change Healthcare are privy to this information about who paid or did not pay. And you know what they say in the cyber security industry about there being no honour among thieves. So, nothing surprises me.”

WithSecure senior threat intelligence analyst Stephen Robinson echoed Rachman’s sentiment on taking anything at face value. “Any statement from cyber criminals is inherently untrustworthy, ALPHV appears to have gone offline, but we don’t know why,” he said.

“The claim regarding the affiliate payment is kind of interesting, but similarly untrustworthy. For a RaaS operation to work, the affiliates and the core group must trust each other, so ‘stealing’ or withholding payment from an affiliate would be very unusual. However, cyber criminals often make efforts to stay below the radar of law enforcement, and to avoid committing attacks which will have real-world impacts leading to focused attention from international law enforcement.

“The Change Healthcare compromise has had significant, long-lasting, real-world impact in the US. If ALPHV have refused to pay the affiliate who performed the attack and banned them from the operation, it could be because they think it was too high profile an attack, or it broke the rules of the operation, whatever they are,” he said. “It is possible that ALPHV are about to rebrand under a different name to avoid law enforcement attention, but that is just speculation.”

This would speak to ALPHV/BlackCat’s roots – similarly speculative for the most part – in the DarkSide operation which attacked Colonial Pipeline in 2021.

This attack, which cased real-world impact and disruption to fuel supplies across a swathe of the US, brought the issue of ransomware to global mainstream attention and led to big changes in Western policy.

It also resulted in a coordinated law enforcement operation against the gang, which recovered a significant proportion of the ransom Colonial Pipeline paid.